sigma-rules/rules/aws/impact_ec2_disable_ebs_encryption.toml

[metadata]
creation_date = "2020/06/05"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/05"

[rule]
author = ["Elastic"]
description = """
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling
encryption by default does not change the encryption status of your existing volumes.
"""
false_positives = [
    """
    Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-20m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS EC2 Encryption Disabled"
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
]
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["AWS", "Elastic"]
type = "query"

query = '''
event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1492"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1492/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"